Add tests with filname in token data

2025-04-17 10:10:20 +00:00 · 2018-08-27 13:36:34 -04:00 · 2018-08-27 13:36:34 -04:00 · d520f9acc1
commit d520f9acc1
parent d45f6c7866
2 changed files with 28 additions and 1 deletions
--- a/salt/netapi/rest_cherrypy/app.py
+++ b/salt/netapi/rest_cherrypy/app.py
@ -2089,7 +2089,7 @@ class Events(object):
        # than hex, this will raise a ValueError.
        try:
            int(auth_token, 16)
-        except ValueError:
+        except (TypeError, ValueError):
            return False

        # First check if the given token is in our session table; if so it's a
--- a/tests/integration/netapi/rest_cherrypy/test_app.py
+++ b/tests/integration/netapi/rest_cherrypy/test_app.py
@ -2,6 +2,7 @@

 # Import python libs
 from __future__ import absolute_import
+import os
 import json

 # Import salt libs
@ -163,6 +164,32 @@ class TestRun(cptc.BaseRestCherryPyTest):
        })
        assert response.status == '401 Unauthorized'

+    def test_run_pathname_token(self):
+        '''
+        Test the run URL with path that exists in token
+        '''
+        cmd = dict(self.low, **{'token': os.path.join('etc', 'passwd')})
+        body = urlencode(cmd)
+
+        request, response = self.request('/run', method='POST', body=body,
+            headers={
+                'content-type': 'application/x-www-form-urlencoded'
+        })
+        assert response.status == '401 Unauthorized'
+
+    def test_run_pathname_not_exists_token(self):
+        '''
+        Test the run URL with path that does not exist in token
+        '''
+        cmd = dict(self.low, **{'token': os.path.join('tmp', 'doesnotexist')})
+        body = urlencode(cmd)
+
+        request, response = self.request('/run', method='POST', body=body,
+            headers={
+                'content-type': 'application/x-www-form-urlencoded'
+        })
+        assert response.status == '401 Unauthorized'
+

 class TestWebhookDisableAuth(cptc.BaseRestCherryPyTest):